What

=====

 

RODC is a new feature unleashed with windows server 2008. Read-only Domain Controllers differentiate from Domain Controllers with writable AD replica in three basic aspects:

- Read-only replica of AD database.

- On-demand replication of account passwords.

- Ability to delegate administrative rights independently on other read-only domain controllers or writable domain controllers.

 

 

Why

====

 

It is designed to minimize risks introduced by running Domain Controller in less-secure locations such as branch offices or extranet networks.

No changes to AD database content are possible on RODC. All objects in RODC AD replica are read-only and can change only by means of AD replication from an upstream domain controller.

 

The replication partner cannot be: - Pre-Longhorn Domain controller. - Another RODC.

 

 

Features

=========

 

RODC by default does not replicate passwords of user and computer accounts into its replica of AD database.

By limiting credential caching to only users who have authenticated to the RODC and are allowed by the Password Replication Policy to have credentials cached, the potential exposure of credentials by a compromise of the RODC is limited. This is because, typically, only a small subset of domain accounts has their credentials cached on any given RODC. Therefore, in the event that the RODC is stolen, only those credentials that are cached can become subject to any cracking attempt.

 

Password replication policy is the list of rules that specify which accounts can have passwords replicated to Read-only Domain controller. Every RODC has its own Password Replication policy – it is linked to the computer account of the Domain Controller.

 

Read-Only Domain Controller offers the possibility to delegate a certain level of access on single machine – without affecting any other domain controller in the domain of forest So the user account who has been delegated authority on RODC wont b able to access other domain controllers in domain.

 

Limitations

===========

 

RODC brings additional requirements to forest infrastructure. You cannot run RODC in a forest with Windows 2000 domain controllers.

 

RODC needs at least one full Longhorn DC in the domain. RODC cannot replicate from Windows 2003 domain controller and cannot bridge client authentication to Windows 2003 domain controller.

 

RODC cannot satisfy any write operations. All write operations are referred to full DC.

 

When connection to full Longhorn DC is broken, only users with credentials already cached on RODC are able to log on. Only resources having their passwords cached on RODC will be accessible.

               

RODC cannot be a Global Catalog

 

Prerequisites

==============

 

- Domain and Forest functional levels must be Windows 2003 or higher.

- Full Longhorn Domain Controller from the same domain must be a replication partner for RODC.

- PDC emulator FSMO role must be held by Full Longhorn Domain Controller.

- Longhorn Server ADPrep /rodcprep must be run.

RODC cannot be deployed in mixed Windows 2000/Windows 2003 environments.

 

Sometimes a damaged volume may look like it lost its file system and CHKDSK tool will complain that file system is raw

The type of the file system is RAW.

this is a curious issue as seen here

=========

what the hell is a RAW file system?—

http://www.microsoft.com/technet/archive/community/columns/inside/techans9.mspx?mfr=true

what the hell is a RAW file system?—is easy enough to answer. It's simply a disk partition that has not been

formatted with an NT file system, neither FAT nor NTFS.

=========

so what is this raw or as said raw file system, it is nothing but a system supplied file system driver that is the

"last resort" for all I/O requests requiring file system support. When the I/O manager calls active file systems

 to mount a volume, RAW is always called last because it supports all disk and tape media.

However, RAW supplies very primitive file handling capabilities. That is, it does not impose any on-disk file

structure or metadata structures for the information about the media; it simply allows read/write access

to the logical blocks on the physical disk. For example, it treats the whole disk as a single file and supplies

physical-disk-level access to the disk.

 

If a device is being driven in raw mode, it has no function driver and no upper or lower-level filter drivers.

All raw-mode I/O is done by the bus driver and optional bus filter drivers.

 

Note, however, that a bus driver does not handle read and write requests for the devices on its bus.

Read and write requests to a device are handled by the device's function driver only. Only if the device

is being used in raw mode does the parent bus driver handle reads and writes for the device.

ok the above extract is from DDK ...now lets see where can i see this happening

 

 

 

here you see that it is for rawtape, rawcdrom, rawdisk (I am using device and driver explorer here )

 

 

 

so how can i reproduce this issue--raw file system reported by chkdsk --we can use dskprobe from http://technet2.microsoft.com/WindowsServer/en/library/006902f1-bae9-4055-9ad2-123ea19006b71033.mspx 

and repro this issue ( please do not try this on a production or home machine -you may loose data)

There are two places where we store file system information as seen below

1 MBR partition Table

2 Volumes' boot sector

When the file system information provided on these 2 sectors of disk is not good you may see chkdsk reporting raw file

system (though the data is still there)

 

 

 

 

A Raw volume is a volume that was never formatted and does not contain a File System

http://support.microsoft.com/kb/929662

 

so just to play i did same on my test machine and removed OEM ID string on D drives Volume boot sector and yes this is

my production machine containing lots of data, Now when i try to access D drive it asks do you want to format it...

..Of course NOT

As if we format we will lose all the data on D drive.

I tried running Chkdsk and you can see results below. It says, type of File System is raw. Chkdsk is not available for raw drives.

I reversed my changes using dskprobe again (added NTFS IN OEM ID string) and Yes my data is back and D drive is  accessible.

 

 

===========================

Gaurav Anand

This posting is provided "AS IS" with no warranties, and confers no rights.

 

 

Via this blog I have just tried to show What exactly happens when a new process is created and what all structures are required and parameters

passed to that process.

 

What ever mentioned below is all extracted from different places of windows SDK and I have tried to forward a easy picture for understanding

purpose.

 

The CreateProcessAsUser function creates a new process and its primary thread. The new process then runs the specified executable file.

There are other functions also for creating process like CreateProcess and CreateprocessWithLogonW but I have chosen

CreateProcessAsUser one to explain.

 

BOOL CreateProcessAsUser(

  HANDLE hToken,

  LPCTSTR lpApplicationName,

  LPTSTR lpCommandLine,

  LPSECURITY_ATTRIBUTES lpProcessAttributes,

  LPSECURITY_ATTRIBUTES lpThreadAttributes,

  BOOL bInheritHandles,

  DWORD dwCreationFlags,

  LPVOID lpEnvironment,

  LPCTSTR lpCurrentDirectory,

  LPSTARTUPINFO lpStartupInfo,

  LPPROCESS_INFORMATION lpProcessInformation

);

 

 

 

Now a little explained version in regards to all the parameters passed to the function CreateProcessAsUser

 

 

BOOL CreateProcessAsUser(

  HANDLE hToken,-------------- Handle to a primary token that represents a user.

  LPCTSTR lpApplicationName,------------ Pointer to a null-terminated string that specifies the module to execute.

 The specified module can be a Windows-based application.

  LPTSTR lpCommandLine, --------Pointer to a null-terminated string that specifies the command line to execute.

If both lpApplicationName and lpCommandLine are non-NULL, *lpApplicationName specifies the module to execute, 

and *lpCommandLine specifies the command line.

  LPSECURITY_ATTRIBUTES lpProcessAttributes,------------- Pointer to a SECURITY_ATTRIBUTES structure that specifies

 a security descriptor for the new process and determines whether child processes can inherit the returned handle. If lpProcessAttributes 

is NULL or lpSecurityDescriptor  is NULL, the process gets a default security descriptor and the handle cannot be inherited. 

The default security descriptor is that of the user referenced in the hToken parameter. This security descriptor may not allow access for the caller, 

in which case the process may not be opened again after it is run. The process handle is valid and will continue to have full access rights.

 lpSecurityDescriptor

A pointer to a security descriptor for the object that controls the sharing of it. If NULL is specified for this member, the object

is assigned the default security descriptor of the calling process. This is not the same as granting access to everyone by

assigning a NULL discretionary access control list (DACL). The default security descriptor is based on the default DACL of

the access token belonging to the calling process. By default, the default DACL in the access token of a process allows access

only to the user represented by the access token. If other users must access the object, you can either create a security

descriptor with the appropriate access, or add ACEs to the DACL that grants access to a group of users.

  LPSECURITY_ATTRIBUTES lpThreadAttributes, ---Pointer to a SECURITY_ATTRIBUTES structure that specifies a security descriptor

 for the new process and determines whether child processes can inherit the returned handle. If lpThreadAttributes is NULL or

 lpSecurityDescriptor is NULL, the thread gets a default security descriptor and the handle cannot be inherited. The default security

 descriptor is that of the user referenced in the hToken parameter. This security descriptor may not allow access for the caller.

  BOOL bInheritHandles,----- If this parameter is TRUE, each inheritable handle in the calling process is inherited by the new process. 

If the parameter is FALSE, the handles are not inherited. Note that inherited handles have the same value and access rights as the original handles.

  DWORD dwCreationFlags,--- control the priority class and the creation of the process. 

The GetPriorityClass function retrieves the priority class for the specified process. This value, together with the priority value of each thread 

of the process, determines each thread's base priority level. The operating system uses the base priority level of all executable threads to

determine which thread gets the next slice of CPU time. Threads are scheduled in a round-robin fashion at each priority level, and only when

 there are no executable threads at a higher level will scheduling of threads at a lower level take place.

  LPVOID lpEnvironment,------ Pointer to an environment block for the new process. If this parameter is NULL, the new process uses

 the environment of the calling process.

  LPCTSTR lpCurrentDirectory,------------ Pointer to a null-terminated string that specifies the full path to the current directory for

 the process. If this parameter is NULL, the new process will have the same current drive and directory as the calling process.

  LPSTARTUPINFO lpStartupInfo,---------- Pointer to a STARTUPINFO structure that specifies the window station, desktop, standard

 handles, and appearance of the main window for the new process.

For graphical user interface (GUI) processes, this information affects the first window created by the CreateWindow function and 

shown by the ShowWindow function. For console processes, this information affects the console window if a new console is created

 for the process.  A process can use the GetStartupInfo function to retrieve the STARTUPINFO structure specified when the process

 was created.

  LPPROCESS_INFORMATION lpProcessInformation-----------Pointer to a PROCESS_INFORMATION structure that receives identification 

information about the new process. This structure contains information about the newly created process and its primary thread.

 typedef struct _PROCESS_INFORMATION {

  HANDLE hProcess;

  HANDLE hThread;

  DWORD dwProcessId;

  DWORD dwThreadId;

} PROCESS_INFORMATION, 

*LPPROCESS_INFORMATION;

If the function succeeds, be sure to call the CloseHandle function to close the hProcess and hThread handles when you are finished with them. 

Otherwise, when the child process exits, the system cannot clean up these handles because the parent process did not close them. 

However, the system will close these handles when the parent process terminates, so they would be cleaned up at this point.

);

 

By default, CreateProcessAsUser creates the new process on a noninteractive window station with a desktop that is not visible and cannot

receive user input. To enable user interaction with the new process, you must specify the name of the default interactive window station and

desktop, "winsta0\default",in the lpDesktop member of the STARTUPINFO structure.

 

The preferred way to shut down a process is by using the ExitProcess function, because this function sends notification of approaching

termination to all DLLs attached to the process. Other means of shutting down a process do not notify the attached DLLs. Note that when

a thread calls ExitProcess, other threads of the process are terminated without an opportunity to execute any additional code (including

the thread termination code of attached DLLs).

 

PLEASE LEVEAGE THE WINDOWS SDK FOR MORE ON SAME.

 

===========================

Gaurav Anand

This posting is provided "AS IS" with no warranties, and confers no rights.

One of the best public document which talks about Registry internals is by Mark Russinovich and I will recommend same before you go ahead with this article.

http://www.microsoft.com/technet/archive/winntas/tips/winntmag/inreg.mspx?mfr=true

Make sure before proceeding ahead you go through Mark's Article.

Ok..so now as you have read that article..you know how registry is broken into blocks, bins, cells and stored in memory or disk.

 

Now lets see the same via Live debugger and see the same structures.....

0: kd> !reg hivelist

 

-------------------------------------------------------------------------------------------------------------

| HiveAddr |Stable Length|Stable Map|Volatile Length|Volatile Map|MappedViews|PinnedViews|U(Cnt)| BaseBlock | FileName

-------------------------------------------------------------------------------------------------------------

| e1008950 |       1000  | e10089b0 |       1000    |  e1008aec  |        0  |        0  |     0| e1014000  | <NONAME>

| e1019458 |     364000  | e1021000 |      24000    |  e10195f4  |      166  |        0  |     0| e101e000  | SYSTEM

| e1392008 |       b000  | e1392068 |       4000    |  e13921a4  |        0  |        0  |     0| e1393000  | <NONAME>

| e2081a80 |       f000  | e2081ae0 |       1000    |  e2081c1c  |        4  |        0  |     0| e2063000  | emRoot\System32\Config\SECURITY

| e1626a80 |      3b000  | e1626ae0 |       1000    |  e1626c1c  |       15  |        0  |     0| e205b000  | temRoot\System32\Config\DEFAULT

| e1484008 |       8000  | e1484068 |          0    |  00000000  |        3  |        0  |     0| e1669000  | \SystemRoot\System32\Config\SAM

| e162fa80 |    1d9a000  | e1666000 |      1d000    |  e162fc1c  |      255  |        0  |     0| e1ff9000  | emRoot\System32\Config\SOFTWARE

| e24cc830 |      35000  | e24cc890 |       1000    |  e24cc9cc  |       14  |        0  |     0| e251d000  | tings\NetworkService\ntuser.dat

| e24c81a8 |       1000  | e24c8208 |          0    |  00000000  |        1  |        0  |     0| e2523000  | \Microsoft\Windows\UsrClass.dat

| e253d798 |      35000  | e253d7f8 |       1000    |  e253d934  |       14  |        0  |     0| e254c000  | ettings\LocalService\ntuser.dat

| e2551008 |       1000  | e2551068 |          0    |  00000000  |        1  |        0  |     0| e2552000  | \Microsoft\Windows\UsrClass.dat

| e24fd0c0 |     2cb000  | e2ff8000 |       2000    |  e24fd25c  |      159  |        0  |     0| e24f9000  |  and Settings\ganand\ntuser.dat

| e302e008 |       9000  | e302e068 |          0    |  00000000  |        3  |        0  |     0| e309d000  | \Microsoft\Windows\UsrClass.dat

-------------------------------------------------------------------------------------------------------------

I dumped out the hive lists on my machine..as registry is maintained as hives and not what we see when we open regedit..thats only visual registry. we see the address of the system hive right now loaded in kernel mode as you can figure out from address.

 

Now we dumped the system hive

0: kd> dt nt!hhive e1019458

nt!HHIVE

   +0x000 Signature        : 0xbee0bee0

   +0x004 GetCellRoutine   : 0x8092d3ef     nt!HvpGetCellMapped+0

   +0x008 ReleaseCellRoutine : 0x8093db9d     nt!HvpReleaseCellMapped+0

   +0x00c Allocate         : 0x8091f642     nt!CmpAllocate+0

   +0x010 Free             : 0x8091f68d     nt!CmpFree+0

   +0x014 FileSetSize      : 0x8091e608     nt!CmpFileSetSize+0

   +0x018 FileWrite        : 0x8092798f     nt!CmpFileWrite+0

   +0x01c FileRead         : 0x808f6320     nt!CmpFileRead+0

   +0x020 FileFlush        : 0x80927615     nt!CmpFileFlush+0

   +0x024 BaseBlock        : 0xe101e000 _HBASE_BLOCK

   +0x028 DirtyVector      : _RTL_BITMAP

   +0x030 DirtyCount       : 0

   +0x034 DirtyAlloc       : 0x364

   +0x038 BaseBlockAlloc   : 0x1000

   +0x03c Cluster          : 1

   +0x040 Flat             : 0 ''

   +0x041 ReadOnly         : 0 ''

   +0x042 Log              : 0x1 ''

   +0x043 DirtyFlag        : 0x1 ''

   +0x044 HiveFlags        : 0

   +0x048 LogSize          : 0x400

   +0x04c RefreshCount     : 0

   +0x050 StorageTypeCount : 2

   +0x054 Version          : 5

   +0x058 Storage          : [2] _DUAL

0: kd> dt nt!cmhive e1019458

nt!CMHIVE

   +0x000 Hive             : _HHIVE

   +0x2d0 FileHandles      : [3] 0x8000031c--------------------------------------handles to the hive

   +0x2dc NotifyList       : _LIST_ENTRY [ 0xe139b678 - 0x0 ]

   +0x2e4 HiveList         : _LIST_ENTRY [ 0xe13922ec - 0xe1008c34 ]

   +0x2ec HiveLock         : _EX_PUSH_LOCK

   +0x2f0 ViewLock         : 0x89b8f1a8 _KGUARDED_MUTEX

   +0x2f4 WriterLock       : _EX_PUSH_LOCK

   +0x2f8 FlusherLock      : _EX_PUSH_LOCK

   +0x2fc SecurityLock     : _EX_PUSH_LOCK

   +0x300 LRUViewListHead  : _LIST_ENTRY [ 0xe34b4598 - 0xe359d690 ]

   +0x308 PinViewListHead  : _LIST_ENTRY [ 0xe1019760 - 0xe1019760 ]

   +0x310 FileObject       : 0x89835df8 _FILE_OBJECT--------------------address of the file object

   +0x314 FileFullPath     : _UNICODE_STRING "\Device\HarddiskVolume1\WINNT\system32\config\system"------------------path on disk

   +0x31c FileUserName     : _UNICODE_STRING ""

   +0x324 MappedViews      : 0xa6

   +0x326 PinnedViews      : 0

   +0x328 UseCount         : 0

   +0x32c SecurityCount    : 0x5b

   +0x330 SecurityCacheSize : 0x60

   +0x334 SecurityHitHint  : 13

   +0x338 SecurityCache    : 0xe1391d00 _CM_KEY_SECURITY_CACHE_ENTRY

   +0x33c SecurityHash     : [64] _LIST_ENTRY [ 0xe1020138 - 0xe1020138 ]

   +0x53c UnloadEvent      : (null)

   +0x540 RootKcb          : (null)

   +0x544 Frozen           : 0 ''

   +0x548 UnloadWorkItem   : (null)

   +0x54c GrowOnlyMode     : 0 ''

   +0x550 GrowOffset       : 0

   +0x554 KcbConvertListHead : _LIST_ENTRY [ 0xe10199ac - 0xe10199ac ]

   +0x55c KnodeConvertListHead : _LIST_ENTRY [ 0xe10199b4 - 0xe10199b4 ]

   +0x564 CellRemapArray   : (null)

   +0x568 Flags            : 0

   +0x56c TrustClassEntry  : _LIST_ENTRY [ 0xe10199c4 - 0xe10199c4 ]

   +0x574 FlushCount       : 0x5a1

   +0x578 CreatorOwner     : (null)

Now lets go to the storage...

0: kd> dt nt!hhive e1019458 storage.

nt!HHIVE

Cannot find specified field members.

0: kd> dt nt!hhive e1019458 Storage.

nt!HHIVE

   +0x050 StorageTypeCount : 2

   +0x058 Storage  : [2]

      +0x000 Length   : 0x364000

      +0x004 Map      : 0xe1021000 _HMAP_DIRECTORY---map directory used by configuration manager..this is equivalent to PDE in terms of memory management

      +0x008 SmallDir : (null)

      +0x00c Guard    : 0xffffffff

      +0x010 FreeDisplay : [24] _FREE_DISPLAY

      +0x130 FreeSummary : 0x100a5f

      +0x134 FreeBins : _LIST_ENTRY [ 0xe10195e4 - 0xe10195e4 ]---free bins for this hive

 

0: kd> dt 0xe1021000 _HMAP_DIRECTORY

   +0x000 Directory        : [1024] 0xe1022000 _HMAP_TABLE---so first we went to hive directory address and from there we figured out hive table address and from there we got block offset. In this case cell index in configuration manager is equivalent to PFN in case of memory manager.

0: kd> dt  0xe1022000 _HMAP_TABLE

   +0x000 Table            : [512] _HMAP_ENTRY

0: kd> dt 0xe1021000 _HMAP_ENTRY

   +0x000 BlockAddress     : 0xe1022000-----------------

   +0x004 BinAddress       : 0xe1024000---------------------------

   +0x008 CmView           : (null)

   +0x00c MemAlloc         : 0

So now we have reached to the block and inside the block we have reached to the bin….from here we will go to that cell…

Now just to prove that we are on right track..let me achieve the same via debugger ….for that we have !reg cellindex

 

0: kd> !reg baseblock e1019458

 

FileName :  SYSTEM

Signature:  HBASE_BLOCK_SIGNATURE

Sequence1:  1a0f

Sequence2:  1a0f

TimeStamp:  1c84fa5 ac4d292c

Major    :  1

Minor    :  5

Type     :  HFILE_TYPE_PRIMARY

Format   :  HBASE_FORMAT_MEMORY

RootCell :  20

Length   :  364000

Cluster  :  1

CheckSum :  346bbc65

0: kd> !reg cellindex e1019458 20

 

Map = e1021000 Type = 0 Table = 0 Block = 0 Offset = 20

MapTable     = e1022000

 

pcell:  de441024--------------this is the address of the cell

 

==========

 

Gaurav Anand

This posting is provided "AS IS" with no warranties, and confers no rights.